Package org.apache.wicket.protocol.http

Class ResourceIsolationRequestCycleListener

java.lang.Object

org.apache.wicket.protocol.http.ResourceIsolationRequestCycleListener

All Implemented Interfaces:

IRequestCycleListener

public class ResourceIsolationRequestCycleListener
extends Object
implements IRequestCycleListener

This RequestCycle listener ensures resource isolation, adding a layer of protection for modern browsers that prevent Cross-Site Request Forgery attacks.

It uses the FetchMetadataResourceIsolationPolicy and OriginResourceIsolationPolicy by default and can be customized with additional IResourceIsolationPolicys.

URL paths that are intended to be used cross-site can be excempted from these policies.

Learn more about Fetch Metadata and resource isolation at https://web.dev/fetch-metadata/

Author:

Santiago Diaz - [email protected], Ecenaz Jen Ozmen - [email protected]

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	ResourceIsolationRequestCycleListener.CsrfAction	The action to perform when the outcome of the resource isolation policy is DISALLOWED or UNKNOWN.

Field Summary

Fields

Modifier and Type	Field	Description
static String	ERROR_MESSAGE

Constructor Summary

Constructors

Constructor	Description
ResourceIsolationRequestCycleListener(IResourceIsolationPolicy... policies)	Create a new listener with the given policies.

Method Summary

Modifier and Type	Method	Description
protected void	abortHandler(javax.servlet.http.HttpServletRequest request, IRequestablePage page)	Abort the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ABORT.
void	addExemptedPaths(String... exemptions)
protected void	allowHandler(javax.servlet.http.HttpServletRequest request, IRequestablePage page)	Allow the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ALLOW.
protected boolean	isChecked(IRequestablePage targetedPage)	Override to limit whether the request to the specific page should be checked for a possible CSRF attack.
protected boolean	isChecked(org.apache.wicket.request.IRequestHandler handler)	Override to change the request handler types that are checked.
protected boolean	isEnabled()	Dynamic override for enabling/disabling the CSRF detection.
void	onBeginRequest(RequestCycle cycle)	Called when the request cycle object is beginning its response
void	onEndRequest(RequestCycle cycle)	Allow isolation policy to add headers.
void	onRequestHandlerResolved(RequestCycle cycle, org.apache.wicket.request.IRequestHandler handler)	Called when an IRequestHandler is resolved and will be executed.
ResourceIsolationRequestCycleListener	setDisallowedOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)	Sets the action when a request is disallowed by a resource isolation policy.
ResourceIsolationRequestCycleListener	setErrorCode(int errorCode)	Modifies the HTTP error code in the exception when a disallowed request is detected.
ResourceIsolationRequestCycleListener	setErrorMessage(String errorMessage)	Modifies the HTTP message in the exception when a disallowed request is detected.
ResourceIsolationRequestCycleListener	setUnknownOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)	Sets the action when none of the resource isolation policies can come to an outcome.
protected void	suppressHandler(javax.servlet.http.HttpServletRequest request, IRequestablePage page)	Suppress the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.SUPPRESS.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.wicket.request.cycle.IRequestCycleListener

onDetach, onException, onExceptionRequestHandlerResolved, onRequestHandlerExecuted, onRequestHandlerScheduled, onUrlMapped

Field Detail

ERROR_MESSAGE

public static final String ERROR_MESSAGE

See Also:

Constant Field Values

Constructor Detail

ResourceIsolationRequestCycleListener

public ResourceIsolationRequestCycleListener(IResourceIsolationPolicy... policies)

Create a new listener with the given policies. If no policies are given, FetchMetadataResourceIsolationPolicy and OriginResourceIsolationPolicy will be used. The policies are checked in order. The first outcome that's not IResourceIsolationPolicy.ResourceIsolationOutcome.UNKNOWN will be used.

Parameters:

policies - the policies to check requests against.

Method Detail

setUnknownOutcomeAction

public ResourceIsolationRequestCycleListener setUnknownOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)

Sets the action when none of the resource isolation policies can come to an outcome. Default ABORT.

Parameters:

action - the alternate action

Returns:

this (for chaining)

setDisallowedOutcomeAction

public ResourceIsolationRequestCycleListener setDisallowedOutcomeAction(ResourceIsolationRequestCycleListener.CsrfAction action)

Sets the action when a request is disallowed by a resource isolation policy. Default is ABORT.

Parameters:

action - the alternate action

Returns:

this

setErrorCode

public ResourceIsolationRequestCycleListener setErrorCode(int errorCode)

Modifies the HTTP error code in the exception when a disallowed request is detected.

Parameters:

errorCode - the alternate HTTP error code, default 403 FORBIDDEN

Returns:

this

setErrorMessage

public ResourceIsolationRequestCycleListener setErrorMessage(String errorMessage)

Modifies the HTTP message in the exception when a disallowed request is detected.

Parameters:

errorMessage - the alternate message

Returns:

this

addExemptedPaths

public void addExemptedPaths(String... exemptions)

onBeginRequest

public void onBeginRequest(RequestCycle cycle)

Description copied from interface: IRequestCycleListener

Called when the request cycle object is beginning its response

Specified by:

onBeginRequest in interface IRequestCycleListener

isEnabled

protected boolean isEnabled()

Dynamic override for enabling/disabling the CSRF detection. Might be handy for specific tenants in a multi-tenant application. When false, the CSRF detection is not performed for the running request. Default true

Returns:

true when the CSRF checks need to be performed.

isChecked

protected boolean isChecked(IRequestablePage targetedPage)

Override to limit whether the request to the specific page should be checked for a possible CSRF attack.

Parameters:

targetedPage - the page that is the target for the action

Returns:

true when the request to the page should be checked for CSRF issues.

isChecked

protected boolean isChecked(org.apache.wicket.request.IRequestHandler handler)

Override to change the request handler types that are checked. Currently only action handlers (form submits, link clicks, AJAX events) are checked.

Parameters:

handler - the handler that is currently processing

Returns:

true when resource isolation should be checked for this handler

onRequestHandlerResolved

public void onRequestHandlerResolved(RequestCycle cycle,
                                     org.apache.wicket.request.IRequestHandler handler)

Description copied from interface: IRequestCycleListener

Called when an IRequestHandler is resolved and will be executed.

Specified by:

onRequestHandlerResolved in interface IRequestCycleListener

onEndRequest

public void onEndRequest(RequestCycle cycle)

Allow isolation policy to add headers.

Specified by:

onEndRequest in interface IRequestCycleListener

See Also:

IResourceIsolationPolicy.setHeaders(HttpServletResponse)

allowHandler

protected void allowHandler(javax.servlet.http.HttpServletRequest request,
                            IRequestablePage page)

Allow the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ALLOW.

Parameters:

request - the request

page - the page that is targeted with this request

suppressHandler

protected void suppressHandler(javax.servlet.http.HttpServletRequest request,
                               IRequestablePage page)

Suppress the execution of the listener in the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.SUPPRESS.

Parameters:

request - the request

page - the page that is targeted with this request

abortHandler

protected void abortHandler(javax.servlet.http.HttpServletRequest request,
                            IRequestablePage page)

Abort the request because the outcome results in ResourceIsolationRequestCycleListener.CsrfAction.ABORT.

Parameters:

request - the request

page - the page that is targeted with this request